openstack/tripleo-heat-templates
Code Issues Proposed changes
8e28fde39c
tripleo-heat-templates/deployment/heat/heat-api-cfn-container-puppet.yaml
Takashi Kajinami 3b80985e56 Assign project-scoped service role for token validation 
When SRBAC is enforced(*1), keystone requires one of the following
conditions for validate token api.
 1) The user has the service role assigned
 2) The user is a system reader
 3) The user generated the token

When authtoken middleware validates tokens in requests, it uses service
users to call the validate_token API of Keystone. In this case
the condition 3 is never met(The token is generated by an external user
while it is validated by the service user used in API). In addition,
currently all credentials used for authtoken middleware are
project-scoped, not system-scoped, so condition 2 is never met(*2) if
SRBAC is enforced.

This change adds the project-scoped service role to all service
users so that all service users can use the validate_token API even
if SRBAC is enforced. An alternative approach would be assign
the system-scoped reader role for these users and replace credentials
for authtoken middleware by system scoped one, but we are likely to
need additional considerations to establish proper design of
system-scoped role assignment.

(*1)
When scope evaluation is enforced(enforce_scope=True) and new rules
are enforced(enforce_new_defaults=True)

(*2)
There are a few exceptions like the nova user which already have
the project-scoped service role to use the service token feature.

Change-Id: I18acd8da7913e2136bfa67c858381ede6c1e3d24
2021-11-25 13:16:14 +09:00

229 lines
8.0 KiB
YAML
Raw Blame History

heat_template_version: wallaby
description: >
OpenStack containerized Heat API CFN service
parameters:
ContainerHeatApiCfnImage:
description: image
type: string
# puppet needs the heat-wsgi-api-cfn binary from centos-binary-heat-api-cfn
ContainerHeatApiCfnConfigImage:
description: The container image to use for the heat_api_cfn config_volume
type: string
HeatApiCfnLoggingSource:
type: json
default:
tag: openstack.heat.api.cfn
file: /var/log/containers/heat/heat_api_cfn.log
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
HeatWorkers:
default: 0
description: Number of workers for Heat service.
type: number
HeatPassword:
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
MonitoringSubscriptionHeatApiCnf:
default: 'overcloud-heat-api-cfn'
type: string
conditions:
heat_workers_set:
not: {equals : [{get_param: HeatWorkers}, 0]}
resources:
ContainersCommon:
type: ../containers-common.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
EnableInternalTLS: {get_param: EnableInternalTLS}
HeatBase:
type: ./heat-base-puppet.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
HeatApiCfnLogging:
type: OS::TripleO::Services::Logging::HeatApiCfn
outputs:
role_data:
description: Role data for the Heat API CFN role.
value:
service_name: heat_api_cfn
firewall_rules:
'125 heat_cfn':
dport:
- 8000
- 13800
keystone_resources:
heat-cfn:
endpoints:
public: {get_param: [EndpointMap, HeatCfnPublic, uri]}
internal: {get_param: [EndpointMap, HeatCfnInternal, uri]}
admin: {get_param: [EndpointMap, HeatCfnAdmin, uri]}
users:
heat-cfn:
password: {get_param: HeatPassword}
roles:
- admin
- service
region: {get_param: KeystoneRegion}
service: 'cloudformation'
monitoring_subscription: {get_param: MonitoringSubscriptionHeatApiCnf}
config_settings:
map_merge:
- get_attr: [HeatBase, role_data, config_settings]
- get_attr: [HeatApiCfnLogging, config_settings]
- apache::default_vhost: false
heat::api_cfn::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
heat::wsgi::apache_api_cfn::ssl: {get_param: EnableInternalTLS}
heat::api_cfn::service_name: 'httpd'
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
heat::wsgi::apache_api_cfn::bind_host:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
heat::wsgi::apache_api_cfn::servername:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HeatApiCfnNetwork]}
- if:
- heat_workers_set
- heat::wsgi::apache_api_cfn::workers: {get_param: HeatWorkers}
service_config_settings:
rsyslog:
tripleo_logging_sources_heat_api_cfn:
- {get_param: HeatApiCfnLoggingSource}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: heat_api_cfn
puppet_tags: heat_config,file,concat,file_line
step_config: |
include tripleo::profile::base::heat::api_cfn
config_image: {get_param: ContainerHeatApiCfnConfigImage}
kolla_config:
/var/lib/kolla/config_files/heat_api_cfn.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.d"
dest: "/etc/httpd/conf.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/etc/httpd/conf.modules.d"
dest: "/etc/httpd/conf.modules.d"
merge: false
preserve_properties: true
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/heat
owner: heat:heat
recurse: true
docker_config:
step_2:
get_attr: [HeatApiCfnLogging, docker_config, step_2]
step_4:
heat_api_cfn:
image: {get_param: ContainerHeatApiCfnImage}
net: host
privileged: false
restart: always
# NOTE(mandre) kolla image changes the user to 'heat', we need it
# to be root to run httpd
user: root
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HeatApiCfnLogging, volumes]}
-
- /var/lib/kolla/config_files/heat_api_cfn.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/heat_api_cfn:/var/lib/kolla/config_files/src:ro
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
host_prep_tasks: {get_attr: [HeatApiCfnLogging, host_prep_tasks]}
upgrade_tasks: []
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
deploy_steps_tasks:
get_attr: [ApacheServiceBase, role_data, deploy_steps_tasks]
external_upgrade_tasks:
- when:
- step|int == 1
tags:
- never
- system_upgrade_transfer_data
- system_upgrade_stop_services
block:
- name: Stop heat cfn container
import_role:
name: tripleo_container_stop
vars:
tripleo_containers_to_stop:
- heat_api_cfn
tripleo_delegate_to: "{{ groups['heat_api_cfn'] | default([]) }}"
View Git Blame Copy Permalink